Victor Duchovni wrote:
> There is a huge install-base of systems on which SHA-2
> certs will fail SSL handshakes. When Windows XP
> systems are <1% of the install-base, when OpenSSL
> 0.9.8 is <1% of the install-base and 0.9.9 too (if the
> support is not added before it goes official)

It is now 2009. SHA-1 came under attack in 2005. That SHA-1 has been attacked, and SHA-2 not attacked, was evidence for the strength of SHA-2.

Why did OpenSSL not support SHA-2 in 2006? Institutional paralysis? Protocol negotiation issues? Protocol negotiation issues that involved vested interests resulting in institutional paralysis?

We cannot know why Microsoft acted as it acted, but if OpenSSL is open, we should be able to know why OpenSSL did even worse than Microsoft.

---------------------------------------------------------------------
The Cryptography Mailing List